Feb 17

Ah, story points! The darling child of Scrum-style estimation. They have a lot to recommend them, in particular because of the many problems with using hours (ideal or otherwise) to estimate tasks. There are, however, some unspoken assumptions around using story points, which could catch the inexperienced or incautious team and cause significant problems. Do you know what’s assumed when you estimate your work using story points?

Sep 10

While lots of sites online describe adding the @Secured tag to your Spring Security-enabled web app, and some even describe role hierarchies, I was unable to find any that did so with JavaConfig. Most of them wanted to give me XML, which isn’t where I wanted to go today. Here’s what I’ve learned, in the hopes it saves you some time.

Aug 24

In my time at a major insurance company in mid-state Illinois, we had a very interesting conversation on what it meant to be “done” with a user story. Done can mean a lot of things to a development team, anywhere from “hey, I just finished writing this code” to “we’ve turned on the feature in production.”

We created what we called a “spectrum of done” to illustrate various levels of “done-ness” (okay, enough with the “quotes”), and to help teams decide where they wanted to be when they said something was Done. Some of the highlights are:

Code compiles on the developer’s machine

Code compiles on a continuous integration build server

Code passes regression test suite

Functionality reviewed by the product owner/stakeholders

Functionality deployed into test environment and tested with mock integrations to other servers

Functionality deployed and tested with integrations to other real servers

Functionality deployed into production

Functionality used in production for some period of time

I submitted, only half-joking, that we were really only Done with a feature when we turned the system off, because before that it was still subject to change or finding a problem.

There are a lot of reasons why you want your definition of Done to be as advanced as possible, but possibly the most important is that you want the best possible idea of whether you have anything left to do on a particular feature before it can be used in production. Measuring by what’s Done vs. what’s not Done requires that, when you say it’s Done, there is a diminishing chance that something is still left to do.

The other side of this argument is that we want regular feedback on small chunks of functionality in order to give us regular data points to judge progress, and the amount of time you typically need to invest gets much bigger as you move up the Done scale. Deploying to production environments in the typical company requires change control procedures, and that means time and money.

The sweet spot for most folks seems to be in building on a shared development server, with some sort of robust suite of tests to assure that new functionality is at least working per the tests, and that nothing that used to work was broken (subject always to the suite of tests being reasonable). This most folks will recognize as Continuous Integration (although you should really read Continuous Integration isn’t a Tool!).

Keith returns to consulting on 9/1/11 after a year at RedSky Technologies. He’s currently looking for his next engagement.

Oct 22

The astute reader will have noticed by now that I haven’t posted anything in a while… back on September 1, I accepted a position as Vice President of Engineering for RedSky Technologies (http://www.redskye911.com), and it’s been keeping me pretty busy.

I’m going to keep Adept Technologies around, but don’t expect to be doing much with it for a while. I’ll continue to blog here off and on, but getting things working at RedSky is my current number one priority.

Thanks everyone for reading, and keep a look out for the occasional post here.

– Keith

Jul 16

I spend a lot of time talking to people about information security. I find that even when they’re interested in protecting their information from theft or misuse, they’re not always focused on the complete security picture. Today’s case in point is the report [via Gizmodo] that thieves spent NINE HOURS stealing laptops from a government contractor, loading up two semi tractor trailers with computers before making their escape.

It does little good to pay attention to digital security if your physical security is weak. Security needs to be treated in a holistic fashion in order to be effective.

Jun 28

I’ve come to suspect that my blog is the victim of spambots that have decided they might be able to do something interesting if they sign up for an account. Maybe they think they get author privileges once they have an account, but I restrict that role to myself (at least for the moment). I’ve put up with it for a while, since I believe there’s no harm in them signing up; the only new superpower registered readers get is “subscribe,” I believe.

It’s been making me uncomfortable however, because I’ve not spent much time keeping up with any security concerns in WordPress (the underlying blogging platform), and since I get an email every time a new user registers, it’s never too far from my mind…

As a result, I decided today to turn off the “anybody can register” feature. I’m also debating going through my user rolls and deleting the obvious spambots (anybody in .RU for starters, since I can’t imagine I’m of much interest to someone in Russia…)

In the event I do decide to start going all Stalin on the registered user rolls, I put up another post, so people can let me know if I delete them and they really were interested in having an account.

We now return you to your regularly scheduled web surfing, already in progress…

Mar 29

Over the last few years, I’ve worked for or as a consultant for three different start-ups, and they’re a roller coaster. Two of those have gone out of business, and the third is my current client.

This morning, my client told me they are planning on managing their cash flow problem by making it at least partially mine: I’m back in the market looking for a new engagement, starting basically immediately. It’s the consultant’s life, I realize, but it really doesn’t make it that much more comfortable.

So, if you or someone you know is looking for a first-class Java architect (very hands-on), agile coach and/or application security specialist, please get in touch.

Feb 10

I spent the last two years working for a Very Large Insurance Company, and before that I’ve worked with a number of different sized companies, with various sized development organizations. It’s got me thinking: just how easy is it for a big development shop to be agile?

Nov 4

I’ve gotten into several discussions in the last few months with various people who work at my current client, and a surprising number of them think that continuous integration is a tool. The conversation usually starts when someone says something like “We’d like to be doing continuous integration, but we can’t get the server set up correctly.” It’s at this point that I have to chime in and let them know they don’t understand continuous integration.

and beans such as this would work fine, except for a subtle point: because we’ve listed two different beans, but the same class, we’d actually get two instances of the LoginAction created. Since typically we want only a single instance of our actions, this could cause unexpected and difficult to diagnose problems later.

In order to only create a single instance of the LoginAction class, you can use an alias in Spring. I’ve started creating a single bean for each action, then aliasing the Struts actions to that single instance, like this: